How do I keep my server/cloud computer powered by Debian Linux 9.x or 8.x current with the latest security updates automatically? Is there a tool to apply security patches automatically? Yes, you can download and install all security updates/upgrades automatically in the background. It is done in an unattended way and installs security updates for you.


Why do I need an unattended way to install security updates?

Applying updates on a frequent basis is an important part of keeping systems secure. By default, updates need to be applied manually using package management tools. However, you can choose to have Debian automatically download and install important security updates. This guide shows you how to automatically download and install stable updates and security patches for a Debian Linux server.

Installation

Type the following apt command or apt-get command to install the unattended-upgrades package. To get email notifications, you must also install bsd-mailx, a traditional, simple command-line-mode mail user agent. The tool apt-listchanges can compare a new version of a package with the one currently installed and show what has been changed, by extracting the relevant entries from the Debian changelog and NEWS files. The apt-listchanges tool will email you the changes too. Let us install all of them:

$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx

OR

$ sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx

Configuration file

You need to edit the file named /etc/apt/apt.conf.d/50unattended-upgrades:

$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

OR

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

The following section of the config file controls which packages are upgraded:

Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};


You need to configure an email address to get email when there is a problem or when packages are upgraded. Of course, you must have a working email setup for this to work:

Unattended-Upgrade::Mail "notify@server1.cyberciti.biz";

Or at least send it to the root user on the same system:

Unattended-Upgrade::Mail "root";

Save and close the file. To activate unattended-upgrades, you need to make sure that the apt configuration has the following two lines. Use the cat command to view info:

$ cat /etc/apt/apt.conf.d/20auto-upgrades

Sample outputs:

It is possible to update or create this file using the following command:

$ sudo dpkg-reconfigure -plow unattended-upgrades

Sample outputs:

Fig.01 and Fig.02: Activate unattended-upgrades using command line

Finally, edit the file named /etc/apt/listchanges.conf using a text editor such as the vim command/nano command:

$ sudo vi /etc/apt/listchanges.conf

Set the email address from:

email_address=root

To:

email_address=notify@server1.cyberciti.biz

Save and close the file. For more info see Unattended Upgrades.
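One way to confirm the result of the steps above, as an added example that is not part of the original article: a shell check that the two APT::Periodic switches normally found in 20auto-upgrades are on, that an uncommented Debian-Security origin pattern is present, and which address Unattended-Upgrade::Mail points to. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and sample files are constructed.

# Print the last uncommented value of an apt.conf key ("//" comment lines never match).
conf_value() {   # usage: conf_value FILE KEY
    sed -n 's|^[[:space:]]*'"$2"'[[:space:]]*"\([^"]*\)";.*|\1|p' "$1" | tail -n 1
}

# Succeed only if both periodic jobs are switched on (unset or "0" means off).
auto_upgrades_enabled() {   # usage: auto_upgrades_enabled FILE
    for key in Update-Package-Lists Unattended-Upgrade; do
        case "$(conf_value "$1" "APT::Periodic::$key")" in
            ""|0) echo "off: APT::Periodic::$key"; return 1 ;;
        esac
    done
}

# Succeed if an uncommented origin pattern selects the Debian-Security label.
security_origin_enabled() {   # usage: security_origin_enabled FILE
    grep -v '^[[:space:]]*//' "$1" | grep -Eq '(label|l)=Debian-Security'
}

# Write constructed sample files into DIR: a good pair plus a 20auto-upgrades with upgrades off.
make_samples() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$1/20auto-upgrades.off" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
//      "o=Debian,n=jessie,l=Debian-Security";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
//Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Mail "notify@server1.cyberciti.biz";
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
auto_upgrades_enabled "$dir/20auto-upgrades" && echo "periodic jobs: on"
auto_upgrades_enabled "$dir/20auto-upgrades.off" || echo "periodic jobs: off in second sample"
security_origin_enabled "$dir/50unattended-upgrades" && echo "security origin: selected"
echo "mail goes to: $(conf_value "$dir/50unattended-upgrades" 'Unattended-Upgrade::Mail')"
rm -rf "$dir"
```

On a real host, save the output of `apt-config dump` to a file and pass that to `auto_upgrades_enabled`, since it prints the effective values after every file in /etc/apt/apt.conf.d has been merged.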

This entry is 2 of 3 in the Applying Debian/Ubuntu Linux Security Updates/Patches series. Keep reading the rest of the series:

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.


8 comments

I suppose I could use this to run security updates irrespective of the weekly (every Friday) updates I run (after I disable security updates checking) anyway; I don’t wanna have the package lists auto-updated for nothing when I’ll update them manually anyway before I run updates or install something.

However, knowing we’re running Linux, and Linux allows to change the file you’re running, wouldn’t even security updates be for nothing without rebooting/reloading the file in question since AFAIK no process is auto-rebooted upon successful update ? That’s how I see it.